Platform
wordpress
Component
advanced-product-fields-for-woocommerce
Fixed in
1.6.18
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress. The flaw, present in versions 1.0.0 through 1.6.17, allows an unauthenticated attacker to cause product field groups to be duplicated and published via a forged request, provided they trick a logged-in administrator into performing an action such as clicking a link. The root cause is missing or insufficient nonce validation in the 'maybe_duplicate' function: the request is acted on without any proof that the administrator intended it. A patch is available in version 1.6.18.
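The pattern behind this class of WordPress CSRF bug, shown as an added illustration rather than the plugin's own code: a request handler that acts on a post ID from the query string without verifying a nonce, beside the hardened form that binds the request to a nonce issued to the current user and also checks the capability. The function names (example_maybe_duplicate_vulnerable, example_maybe_duplicate_hardened, example_duplicate_group, example_duplicate_link), the action name 'example_duplicate_group' and the nonce action string are assumptions for the example and are not identifiers from the real plugin; the WordPress API calls (check_admin_referer, wp_nonce_url, current_user_can, wp_insert_post, get_post_meta, wp_safe_redirect) are real.

```php
<?php
// Added example, not the plugin's code. The names below are assumptions.

// VULNERABLE pattern: any request carrying ?action=example_duplicate_group&post=N
// duplicates and publishes post N. If a logged-in administrator loads an attacker
// page that auto-submits this URL, the browser attaches the admin's cookies and the
// copy is created without the admin choosing to do so.
function example_maybe_duplicate_vulnerable() {
    if ( empty( $_GET['post'] ) || ( $_GET['action'] ?? '' ) !== 'example_duplicate_group' ) {
        return;
    }
    $new_id = example_duplicate_group( (int) $_GET['post'], 'publish' );
    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}

// HARDENED pattern: the same handler, but the request must carry a nonce that was
// generated for this user and this post. check_admin_referer() calls wp_die() with
// WordPress's standard "The link you followed has expired." response on a missing
// or invalid nonce, so a forged cross-site request never reaches the duplication.
function example_maybe_duplicate_hardened() {
    if ( empty( $_GET['post'] ) || ( $_GET['action'] ?? '' ) !== 'example_duplicate_group' ) {
        return;
    }
    $post_id = (int) $_GET['post'];
    check_admin_referer( 'example_duplicate_group_' . $post_id ); // nonce bound to post
    if ( ! current_user_can( 'edit_post', $post_id ) ) {         // capability check
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $new_id = example_duplicate_group( $post_id, 'draft' ); // copies start unpublished
    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}
add_action( 'admin_init', 'example_maybe_duplicate_hardened' );

// The "Duplicate" link rendered in the admin UI must carry the matching nonce
// (wp_nonce_url appends _wpnonce, which check_admin_referer reads by default).
function example_duplicate_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_duplicate_group', 'post' => (int) $post_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_duplicate_group_' . (int) $post_id );
}

// Copies a post and its meta. The status is an explicit argument so that a draft
// or pending group is never silently published as a side effect of duplication.
function example_duplicate_group( $post_id, $status ) {
    $src = get_post( $post_id );
    if ( ! $src ) {
        wp_die( 'No such post.', '', array( 'response' => 404 ) );
    }
    $new_id = wp_insert_post( array(
        'post_title'   => $src->post_title . ' (copy)',
        'post_content' => $src->post_content,
        'post_type'    => $src->post_type,
        'post_status'  => $status,
    ) );
    if ( is_wp_error( $new_id ) ) {
        wp_die( $new_id->get_error_message() );
    }
    foreach ( get_post_meta( $post_id ) as $key => $values ) {
        foreach ( $values as $value ) {
            add_post_meta( $new_id, $key, maybe_unserialize( $value ) );
        }
    }
    return $new_id;
}
```

The hardened version is also the template for verifying a fix of this kind: as a logged-in administrator, replay the duplication URL with its `_wpnonce` parameter removed or altered. A correctly patched handler rejects the request instead of creating a copy.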
Successful exploitation of CVE-2025-13924 lets an attacker forge a request that duplicates a product field group within a WooCommerce store. This can create unauthorized product field configurations, disrupting product setup or introducing unexpected behaviour on the storefront. Because the forged request can also publish a draft or pending field group, whatever that draft contains becomes live without the administrator's intent. Direct data theft is not the primary impact, but manipulating product configurations can have significant operational consequences for an e-commerce business. The blast radius is limited to the affected WooCommerce store and the administrative users whose sessions are abused.
This vulnerability was publicly disclosed on December 9, 2025. There is currently no indication of active exploitation campaigns targeting it, no public proof-of-concept (PoC) code has been released, and it is not listed in the CISA KEV catalog. The CVSS score of 4.3 rates the severity as medium; CVSS does not measure likelihood of exploitation, and the EPSS estimate of 0.02% reflects a low predicted probability at present. A CSRF of this kind is simple to weaponize once the request format is known, so that estimate may rise if a PoC appears.
E-commerce businesses running the Advanced Product Fields (Product Addons) for WooCommerce plugin on an affected version are at risk. Exploitation requires an administrator to visit attacker-controlled content while logged in to the WordPress admin area, so sites with many administrators, or whose administrators browse untrusted sites from a session that is also logged in to wp-admin, are more exposed. Shared hosting environments where plugin updates are not applied consistently are also at increased risk.
• wordpress / composer / npm:
grep -r 'maybe_duplicate' /var/www/html/wp-content/plugins/advanced-product-fields-for-woocommerce/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'advanced-product-fields-for-woocommerce'
• wordpress / composer / npm:
wp plugin update advanced-product-fields-for-woocommerce
• wordpress / composer / npm:
wp plugin status advanced-product-fields-for-woocommerce
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13924 is to upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If upgrading is not immediately feasible because of compatibility concerns, temporarily deactivate the plugin or restrict access to the WordPress admin area, and remind administrators not to follow untrusted links while logged in; input validation and output encoding do not address CSRF, since the forged request is well-formed and comes from a legitimate session. A WAF rule is hard to write because the forged request looks identical to a legitimate one, but monitoring for unexpected product field group duplication or status changes gives some visibility. After upgrading, confirm the fix as a logged-in administrator by replaying the duplication request without its nonce parameter: the request should be rejected rather than creating a copy. Testing as an unauthenticated user proves nothing, because the vulnerable handler never ran without an administrator session either.
Update to version 1.6.18 or a newer patched version.
CVE-2025-13924 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Advanced Product Fields plugin for WooCommerce, allowing attackers to duplicate and publish product field groups via a forged request performed by a logged-in administrator.
You are affected if you are using Advanced Product Fields for WooCommerce versions 1.0.0 through 1.6.17. Upgrade to 1.6.18 to mitigate the risk.
Upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If an immediate upgrade is not possible, temporarily deactivate the plugin or restrict admin-area access until it can be updated.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13924, but vigilance is advised.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.